New Malware A Dangerous Threat To ALL iOS Users [UPDATED]
If you’re an iOS user, you have a really dangerous piece of malware to worry about. Called XcodeGhost, it affects stock and jailbroken iOS devices. MacRumors has a FAQ on this new threat, but here’s what you need to know:
A malicious version of Xcode was uploaded to Chinese cloud file sharing service Baidu and downloaded by some iOS developers in China.
Chinese developers then unknowingly compiled iOS apps using the modified Xcode IDE and distributed those infected apps through the App Store.
Those apps then managed to pass through Apple’s code review process, enabling iOS users to install or update the infected apps on their devices.
Lovely. There’s more:
Palo Alto Networks has shared a full list of over 50 infected iOS apps, including WeChat, NetEase Cloud Music, WinZip, Didi Chuxing, Railway 12306, China Unicom Mobile Office and Tonghuashun.
Plus there’s this:
iOS apps infected with XcodeGhost malware can and do collect information about devices and then encrypt and upload that data to command and control (C2) servers run by attackers through the HTTP protocol. The system and app information that can be collected includes:
- Current time
- Current infected app’s name
- The app’s bundle identifier
- Current device’s name and type
- Current system’s language and country
- Current device’s UUID
- Network type

Palo Alto Networks also discovered that infected iOS apps can receive commands from the attacker through the C2 server to perform the following actions:
- Prompt a fake alert dialog to phish user credentials;
- Hijack opening specific URLs based on their scheme, which could allow for exploitation of vulnerabilities in the iOS system or other iOS apps;
- Read and write data in the user’s clipboard, which could be used to read the user’s password if that password is copied from a password management tool.
So, if you have any of the apps on Palo Alto’s list, you need to uninstall them right now. Then you should reset your device password and your iCloud password. In the meantime, Apple might want to look at their code review process as these apps passed through it and got out to the world. That’s not good.
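The advice above is for users. For developers, the corresponding check is on the build tool itself, because the whole chain starts with a tampered copy of Xcode pulled from a third-party mirror rather than from Apple. The script below is an added example, not part of this article and not tooling from Apple, MacRumors or Palo Alto Networks. It wraps Apple's Gatekeeper assessment command `spctl --assess --verbose` and treats only an `accepted` verdict with an Apple source as clean; the source strings it matches (`Mac App Store`, `Apple`, `Apple System`) follow Apple's developer guidance for validating Xcode, but their exact wording is an assumption to confirm against Apple's current documentation. The parsing is split into its own function so it can be exercised with constructed `spctl` output on any platform.

```shell
#!/bin/sh
# Added example: verify that a local Xcode install is Apple-signed.
# Not from the article; wraps the Gatekeeper assessment Apple recommended
# after XcodeGhost:  spctl --assess --verbose /Applications/Xcode.app

nl='
'

# Return 0 if the text printed by `spctl --assess --verbose <path>` shows an
# accepted bundle whose source is Apple. $1 is that output (it is passed in as a
# string so the logic can be tested with constructed samples off-macOS).
# The accepted source labels below are an assumption based on Apple's guidance.
spctl_result_ok() {
    text="${1}${nl}"
    case "$text" in
        *": accepted${nl}"*) ;;            # Gatekeeper verdict line
        *) return 1 ;;                      # rejected, or no verdict at all
    esac
    case "$text" in
        *"source=Mac App Store${nl}"*|*"source=Apple${nl}"*|*"source=Apple System${nl}"*) return 0 ;;
        *) return 1 ;;                      # e.g. Developer ID, or no usable signature
    esac
}

# Run the real assessment on a path (default: the standard Xcode location).
# Returns 0 when clean, 1 when the bundle is not an accepted Apple-signed
# Xcode, 2 when spctl is unavailable (non-macOS host).
check_xcode() {
    path="${1:-/Applications/Xcode.app}"
    if ! command -v spctl >/dev/null 2>&1; then
        echo "spctl not found; this check only runs on macOS" >&2
        return 2
    fi
    out=$(spctl --assess --verbose "$path" 2>&1) || true
    if spctl_result_ok "$out"; then
        echo "OK: $path is accepted by Gatekeeper with an Apple source"
        return 0
    fi
    echo "WARNING: $path failed assessment or is not from Apple:" >&2
    echo "$out" >&2
    return 1
}

# Usage: sh xcode-check.sh --run [/path/to/Xcode.app]
if [ "${1:-}" = "--run" ]; then
    check_xcode "${2:-/Applications/Xcode.app}"
fi
```

If the assessment prints anything other than `accepted` with an Apple source, the fix is to delete that Xcode and reinstall it from the Mac App Store or Apple's developer downloads before building or shipping another app.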
UPDATE: Reuters reports that Apple has pulled any and all apps that have this malware.
September 20, 2015 at 8:24 pm
Would this also apply if you downloaded these apps from Google Play (and installed on Android)? A friend asked me to install WeChat and I did last week and deleted it the same day.
I was wondering if the Android versions would be impacted by this?
September 20, 2015 at 8:30 pm
No. It only applies to iOS as it requires an app compiled in Xcode which only iOS devices can run.
September 21, 2015 at 8:23 pm
Thank you very much…glad I don’t have to worry this time!